Researchers, poll spark response to Microsoft security

By Shawna McAlearney, Staff Writer
19 Dec 2003 | Security Wire Perspectives


Passions about Microsoft's product security tend to run hot. Despite the gains Microsoft has made in promoting more secure software, a majority of security practitioners still appear to believe the results fall well short when it comes to the security of the company's operating systems and application software.

That sentiment, extracted from a recent minipoll, may provide the type of fuel to reheat the security research community's ongoing full-disclosure debate.

Several weeks ago, Chinese researcher Liu Die Yu posted several Internet Explorer flaws to the Full-Disclosure security mailing list. His reasoning: Microsoft had not given him credit for vulnerabilities he had previously reported.

That rationale doesn't sit well with some security practitioners.

"I believe that protecting others' assets should come before our ego," said Justin G. Francis, a security administrator at an entertainment retailer. He suggests that researchers who find flaws take other steps to establish that they were the first to uncover them.

Other reasons researchers have given for similar announcements include fear of prosecution and excessively long delays in the patch creation process. Many have cited full, public disclosure as a necessary component to get vendors to solve a security problem.

"Perhaps all of these flaws should be sent to the vendor and to the Department of Homeland Security," said Richard Guaraldo, director of information security for an East Coast public relations firm. "DHS should then have some system to see that they are dealt with swiftly and efficiently by the software vendor. Perhaps there should also be a list indicating the date of discovery of a flaw, but not describing the nature of the flaw, thereby not accelerating exploitation. The flaw could even be given an ID number."

"The goal is to expose the problem and put the vendor on notice that it needs to be fixed ASAP, without unnecessarily publishing the details of the problem," added Guaraldo. "The response of providing a fix to the flaw ID number signifies the problem has been corrected."

Whatever their individual feelings on disclosure, a recent Security Wire Perspectives minipoll reveals that 60% of our readers who responded don't think Microsoft is doing enough to address OS and application patch management issues. Nearly 70% don't believe Microsoft is doing enough to improve its software security.

Of more than 450 respondents, 55% say Microsoft's security hasn't changed since it launched its Trustworthy Computing initiative in 2002.

In 2003, Microsoft created a centralized patch site, began issuing its patches monthly instead of weekly and reduced its patch size. However, 64% think these patching-process initiatives will save time but do not address the root of the security problem.

Microsoft couldn't comment as of press time.

Copyright 2003 - 2009, TechTarget. All Rights Reserved.